Home » Featured » Hotspot Shield VPN is Leaking Users Data and Location
Click Here To Hide Tor

Hotspot Shield VPN is Leaking Users Data and Location

A security researcher has found that one of the world’s largest Virtual Private Network (VPN) providers is leaking users private information. Hotspot Shield, which has been downloaded over half a billion times and has been in operation for over a decade, has a bug which can reveal what country a user is located in, as well as leak the name of the WiFi network they are using. The vulnerability in Hotspot Shield’s VPN service was discovered by Paulos Yibelo. Yibelo reported his findings to Beyond Security’s SecuriTeam Secure Disclosure program.

“By disclosing information such as WiFi name, an attacker can easily narrow down or pinpoint where the victim is located,” Paulos Yibelo told ZDNet. When an attacker knows what country a Hotspot Shield VPN user is from, they “can narrow down a list of places” their victim is from, Yibelo said. The vulnerability in Hotspot Shield’s VPN service was tested by ZDNet using a proof-of-concept code that Yibelo wrote. Using Yibelo’s code they were able to identify users WiFi networks, and the vulnerability kept working when tried from different computers and different network.

Yibelo was able to write his proof-of-concept code very quickly, and it is only a few lines long. The code exploits a vulnerability in the local web server installed by Hotspot Shield. Private information and configuration data are returned when the exploit calls a JavaScript file being hosted on the web server. The private information of Hotspot Shield VPN users could be captured and stored from an infected website. According to Yibelo, he was able to successfully obtain Hotspot Shield VPN users IP addresses, though he was only having mixed results and was not always able to successfully capture real IP addresses. In their own testing, ZDNet was unsuccessful in obtaining any real IP addresses of Hotspot Shield VPN users.

The developer of Hotspot Shield VPN, AnchorFree, Inc., is strongly denying that any user’s real IP addresses are being leaked through the vulnerability discovered by Paulos Yibelo. “We have reviewed and tested the researcher’s report. We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information,” AnchorFree’s Tim Tsoriev said in a statement.

After Yibelo discovered the vulnerability in Hotspot Shield VPN, he reported it to AnchorFree in December of last year but never received a response from the company. Yibelo then submitted the vulnerability to Beyond Security through their bug bounty program. Beyond Security also did not receive a response from AnchorFree. However, in February, AnchorFree finally addressed the issue with a new version of Hotspot Shield VPN which was recently released. The new version of Hotspot Shield VPN patches the vulnerability discovered by Yibelo.

Last year Hotspot Shield VPN was accused by the Center for Democracy & Technology of selling their customers private information. A formal complaint was filed with the United States Federal Trade Commission (FTC) in which they allege that Hotspot Shield was guilty of employing unfair and deceptive trade practices. AnchorFree claimed that they did not collect any personal information about Hotspot Shield VPN users. Hotspot Shield VPN comes in both a free version, as well as a paid “Elite Version” subscription. The Center for Democracy & Technology discovered that Hotspot Shield VPN was sharing information after analyzing the VPN using Carnegie Mellon University’s Mobile App Privacy Compliance automated system on the free version of the Hotspot Shield VPN service.

Be sure to check out DeepDotWeb’s VPN Comparison Chart to find the best VPN services available.

One comment

  1. This is why it’s imperative to take the protection a VPN has to offer with a grain of salt. Even the good ones. From the VPN’s perspective they may not even know about the bug. This is how NSA compromises VPNs. Effectively rendering them useless against global adversaries. Nothing beats a good security oriented OS like Qubes or Subgraph. Or using a Linux distro of your choice with Tor browser wrapped in Apparmor and inside a sandbox. VPN is fine for torrenting, avoiding ISP, and maybe avoiding local and state government detection (only if your VPN is truthful about not logging activity, IPs, and VPN IPs). Do note, ALL VPNS LOG BANDWIDTH!!! Even if they say no logs ever. A reputable VPN firm cannot keep optimal functioning servers without logging bandwidth, it’s simply not possible.

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *